Limit retries for secured directory with .htaccess file

gemmajid · 01-30-2017, 11:53 PM

I'm using Ubuntu 14.04 with apache web server enabled, due to security concern i have password protected apache directory with .htaccess.

Is it possible to block too many password attempts ?

Regards,

Majid Hussain

bathory · 01-31-2017, 03:03 AM

Quote:

Originally Posted by gemmajid

I'm using Ubuntu 14.04 with apache web server enabled, due to security concern i have password protected apache directory with .htaccess.

Is it possible to block too many password attempts ?

Regards,

Majid Hussain

This is possible either using fail2ban, or the mod_security apache module.

See the following examples about their usage: fail2ban, mod_security

Regards

gemmajid · 01-31-2017, 04:56 AM

Thank you bathory for your quick response, i had tried fail2ban but it's not working. It doesn't block any thing.

bathory · 01-31-2017, 06:16 AM

Quote:

Originally Posted by gemmajid

Thank you bathory for your quick response, i had tried fail2ban but it's not working. It doesn't block any thing.

What did you try and it's not working?
There is the "apache-auth" jail that does exactly what you want. See the example in my previous post if you need help to configure fail2ban and apache-auth in ubuntu

gemmajid · 01-31-2017, 06:41 AM

I have followed your fail2ban example and did exactly same procedure but unfortunately it's not working, policy didn't banned my ip.

Further i have some other rules as well which are working fine.

bathory · 01-31-2017, 07:39 AM

Quote:

Originally Posted by gemmajid

I have followed your fail2ban example and did exactly same procedure but unfortunately it's not working, policy didn't banned my ip.

Further i have some other rules as well which are working fine.

Are you sure you've enabled the apache jail and ignoreip does not list your IP(s)?
?

Code:

[apache]
enabled  = true
...
ignoreip = x.x.x.x
...

And you can always check if the jail regexes work in your case, by taking a line from error_log and test it against fail2ban-regex like this:

Code:

fail2ban-regex '[Tue Jan 31 15:05:58 2017] [error] [client 127.0.0.1] user guest: authentication failure for "/test": Password Mismatch' /etc/fail2ban/filter.d/apache-auth.conf

Habitual · 01-31-2017, 09:14 AM

Test it?

Code:

fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-auth.conf

gemmajid · 01-31-2017, 11:21 PM

I'm getting some thing like below while testing.

Quote:

Running tests
=============

Use failregex file : /etc/fail2ban/filter.d/apache-auth.conf
Use log file : /var/log/apache2/error.log

Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
| [38] WEEKDAY MONTH Day Hour:Minute:Second[.subsecond] Year
`-

Lines: 38 lines, 0 ignored, 0 matched, 38 missed
Missed line(s): too many to print. Use --print-all-missed to print all 38 lines

bathory · 02-01-2017, 12:29 AM

Quote:

Lines: 38 lines, 0 ignored, 0 matched, 38 missed

Could you post these38 lines of error.log here?

gemmajid · 02-01-2017, 01:02 AM

Have a look

Quote:

Lines: 21 lines, 0 ignored, 0 matched, 21 missed
|- Missed line(s):
| [Wed Feb 01 11:45:14.783583 2017] [ssl:warn] [pid 19607] AH01906: TestingServer:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
| [Wed Feb 01 11:45:15.000331 2017] [:warn] [pid 19607] mod_wsgi: Compiled for Python/2.7.8.
| [Wed Feb 01 11:45:15.000410 2017] [:warn] [pid 19607] mod_wsgi: Runtime using Python/2.7.9.
| [Wed Feb 01 11:45:15.004018 2017] [mpm_prefork:notice] [pid 19607] AH00163: Apache/2.4.10 (Ubuntu) OpenSSL/1.0.1f mod_wsgi/3.5 Python/2.7.9 configured -- resuming normal operations
| [Wed Feb 01 11:45:15.004100 2017] [core:notice] [pid 19607] AH00094: Command line: '/usr/sbin/apache2'
| [Wed Feb 01 11:48:20.539715 2017] [mpm_prefork:notice] [pid 19607] AH00169: caught SIGTERM, shutting down
| [Wed Feb 01 11:48:21.389386 2017] [ssl:warn] [pid 20182] AH01906: TestingServer:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
| [Wed Feb 01 11:48:22.000681 2017] [:notice] [pid 20182] ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/) configured.
| [Wed Feb 01 11:48:22.001087 2017] [:notice] [pid 20182] ModSecurity: APR compiled version="1.5.1-dev"; loaded version="1.5.1"
| [Wed Feb 01 11:48:22.001359 2017] [:warn] [pid 20182] ModSecurity: Loaded APR do not match with compiled!
| [Wed Feb 01 11:48:22.001375 2017] [:notice] [pid 20182] ModSecurity: PCRE compiled version="8.31 "; loaded version="8.35 2014-04-04"
| [Wed Feb 01 11:48:22.001391 2017] [:warn] [pid 20182] ModSecurity: Loaded PCRE do not match with compiled!
| [Wed Feb 01 11:48:22.001499 2017] [:notice] [pid 20182] ModSecurity: LUA compiled version="Lua 5.1"
| [Wed Feb 01 11:48:22.001520 2017] [:notice] [pid 20182] ModSecurity: LIBXML compiled version="2.9.1"
| [Wed Feb 01 11:48:22.002914 2017] [:notice] [pid 20182] ModSecurity: StatusEngine call: "2.8.0,Apache,1.5.1-dev/1.5.1,8.31/8.35 2014-04-04,Lua 5.1,2.9.1,460d391b147a8b1ea73a938993d7f2a9b93a5584"
| [Wed Feb 01 11:48:22.109494 2017] [:notice] [pid 20182] ModSecurity: StatusEngine call successfully sent. For more information visit: http://status.modsecurity.org/
| [Wed Feb 01 11:48:22.165535 2017] [ssl:warn] [pid 20184] AH01906: TestingServer:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
| [Wed Feb 01 11:48:23.001110 2017] [:warn] [pid 20184] mod_wsgi: Compiled for Python/2.7.8.
| [Wed Feb 01 11:48:23.001298 2017] [:warn] [pid 20184] mod_wsgi: Runtime using Python/2.7.9.
| [Wed Feb 01 11:48:23.010172 2017] [mpm_prefork:notice] [pid 20184] AH00163: Apache/2.4.10 (Ubuntu) OpenSSL/1.0.1f mod_wsgi/3.5 Python/2.7.9 configured -- resuming normal operations
| [Wed Feb 01 11:48:23.010584 2017] [core:notice] [pid 20184] AH00094: Command line: '/usr/sbin/apache2'

gemmajid · 02-01-2017, 01:23 AM

i assumed that attempt failure logs are not generating at error.logs file as i'm unable to view any entry there further modsecurity is enabled at my server.

modsecurity_audit.log have details of authentication attempts.

bathory · 02-01-2017, 01:57 AM

Quote:

Originally Posted by gemmajid

i assumed that attempt failure logs are not generating at error.logs file as i'm unable to view any entry there further modsecurity is enabled at my server.

modsecurity_audit.log have details of authentication attempts.

Failed attempts should be logged like in my post #6
Now if mod_security is logging those attempts in a different logfile, then adapt apache-auth regexes accordingly

But since you have mod_security enabled, why don't you use it to ban brute-force attacks?

gemmajid · 02-01-2017, 02:19 AM

ok, can you guide me where to add that script which you have posted earlier.

bathory · 02-01-2017, 03:59 AM

Quote:

Originally Posted by gemmajid

ok, can you guide me where to add that script which you have posted earlier.

What script? You mean the mod_security example?
I think it's self explanatory. In the example the poster uses mod_security to protect /sessions
And of course the code goes into the apache config file (apache2.conf for ubuntu), or if it's for a vhost, into the vhost config (/etc/apache2/sites-available/vhost-config)

gemmajid · 02-01-2017, 06:08 AM

Quote:

Originally Posted by bathory

What script? You mean the mod_security example?
I think it's self explanatory. In the example the poster uses mod_security to protect /sessions
And of course the code goes into the apache config file (apache2.conf for ubuntu), or if it's for a vhost, into the vhost config (/etc/apache2/sites-available/vhost-config)

I have followed the modsecurity example mentioned by you earlier, i have entered codes in vhost file as well but no success yet.